During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

+

On Windows 7

+

<pre>

+

C:\Users\{user}\AppData\Local\Apple Computer\Safari\

+

</pre>

−

In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[KnTList]].

+

== History ==

+

The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.

−

At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].

+

This file can be viewed directly in [[Mac OS X]] by opening file in the [[Property List Editor]] program.

−

==Bibliography==

+

For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.